Posts filed under ‘report’

As a term that most of us find intuitively easy to define, it turns out that getting a precise and generally accepted definition of the term ‘identity’ is far from easy.

The first question of course is whether it’s even worth the effort to try and get a precise definition. I think the answer is ‘yes’ for several reasons.

First, identity involves personal information and people expect that government collects and holds their personal information in a secure manner with their privacy appropriately protected.

Secondly, people need to prove who they are many times during a day. While typically people only need to do that with government infrequently, for a government agency it is of critical everyday importance to have confidence in the identity of the person they are dealing with. For example, an agency needs to be sure that government services are being delivered to the right person. Another example is ensuring that the right person has access to their own personal information such as health records or tax records.

On the one hand, people want convenient access to their information and government services. On the other hand, government as a whole has to manage the identity-related risks and ensure that the taxpayer’s money is spent well.

Finally, consider this quote from a recent report by Sir James Crosby to the UK Government, “… those countries with the most effective ID assurance systems and infrastructure will enjoy economic and social advantage, and those without will miss an opportunity. There is a clear virtuous circle. The ease and confidence with which individuals can assert their identity improves economic efficiency and social cohesion…”.

Looking around, both in New Zealand and overseas, we saw that most of the focus on ‘digital identity’ and ‘user-centric identity’. Also, ‘identity management’ is typically defined in technology terms such as ‘authentication’ and ‘authorisation’. And yet, all of these still don’t answer the fundamental question of just what ‘identity’ is in the first place.

To help get us a better insight into the thinking of the academic world and the approaches taken in some other countries, we turned to Victoria University of Wellington. Professor Miriam Lips, with the help of her student Chiky Pang, has now completed her report Identity Management in Information Age Government (PDF, 557 KB) and we have published it on the e-government website.

It turns out that the answer to our questions has a variety of answers. However, it does validate our current approach that one of the useful ways to look at identity is to consider that people have a single, unique identity but many context-dependent partial identities or personas. The result is more of an onion than linear, so that operating at the outer layers of the onion may not have any connection at all with the unique core:

Another interesting insight from the report is the move to an informational definition of identity from a document-based definition. The impact of the Information Age is to make it increasingly necessary for governments to consider identity information- its collection, verification, storage, maintenance, and disposal- rather than just the issue and use of identity documents.

As we look at these issues in finer and finer detail, it remains important to not lose sight of the basics. Such as, people own and control their own identity while government’s role is to manage their identity information well. And, the need to put theory into practice.

There were so many insights from attending focus groups during the igovt public consultation that it’s hard to pick just one. Certainly, one that made a lasting impression was a lady with a disability who spoke emotively about how the service would make a huge positive difference for her in getting services from government. For her, the notion of having to prove who she was once to government and then being able to choose to use the Internet to verify her identity- both across government and the private sector- was compelling.

The details and context for the service have evolved since the previous public consultation in 2003. It was therefore important to seek the views of the public about key aspects of the proposed service before the service design was finalised.

Public consultation was also essential for continuing the transparency that has been a hallmark of developing igovt services. In particular, for services based on policy principles such as opt-in and acceptability, it is important to check with people that the service design has resulted in a service that is indeed of value to them.

The public consultation process asked people to get information from the website and send in submissions. At the planning stage for the consultation it was clear that we needed to be more proactive to get deeper and wider participation.

21 focus groups were therefore held in 8 places across New Zealand- Whangarei, Manukau, Tokoroa, New Plymouth, Porirua, Westport, Christchurch, and Invercargill. The workshops were three hours long and included a demonstration of how the service would work. It turned out that the demonstration was critical in helping people understand the service and thereby provide well-informed responses.

I was personally present at a few of these workshops to do the demonstration and also answer any questions about the service that people had. For me, it was an immensely rewarding experience. To get firsthand insight into people’s views is far richer and meaningful than getting it from a report.

It’s become a bit of a worn cliché to say that the Internet is changing everything. Many things are obvious- from the read-write web to social networking to online transacting.

But there are also less obvious, more tectonic shifts happening. These are slow societal shifts that will ultimately change the shape of society itself. These deep changes are not readily apparent amongst the constant shrill of everyday headlines. Nevertheless, they are happening- every day, all the time, in imperceptible increments- leading to fundamental shifts stretching over years.

So it was with interest (and with a vested interest) that I read the results of the survey results from the UK’s Oxford Internet Institute as a part of a project called Me, My Spouse and the Internet. As the Institute’s Director said, “This study is a dramatic illustration of the potential for the Internet to reconfigure social relationships.”

The results from the study show the role played by the Internet in the relationships of a representative sample of over 2,000 married Internet users in UK. Some highlights include:

1. 20% of married Internet users admitted to reading their partner’s emails and text messages; 13% to having checked their partner’s browser history.

2. 6% of married Internet users first met their partner online. Just over a third of these were through an online dating site. People meeting future partners online had greater education and age gaps.

3. Face-to-face communication was (still) the most reported way for married Internet users to discuss personal matters and resolve problems but other channels were also used, including text messaging (27% of users), and email (14% of users).

4. Disclosing a partner’s intimate details and other shady online activities got a big thumbs down from partners.

Hmmm… there doesn’t seem to be anything about what married Internet users think about their partner’s blogging activity yet. Or if there any blogging widows out there. That’s a sign for me to move on…

It goes by the rather bureaucratic name of “Working Party set up under Article 29 of Directive 95/46/EC.” Its suggestions don’t have the force of law. But anyone ignoring its Opinion does so at their own peril.

“A key conclusion of this Opinion is that the Data Protection Directive generally applies to the processing of personal data by search engines, even when their headquarters are outside the EEA…” means that the EC is likely to impose the provisions of the Data Protection Directive on even the US-based search engines such as Google and Yahoo and hold them to the responsibilities of data controllers.

The Working Party refers to its earlier Opinion of June 2007 to re-affirm that “unless the Internet Service Provider is in a position to distinguish with absolute certainty that the data correspond to users that cannot be identified, it will have to treat all IP information as personal data, to be on the safe side.” In other words, IP addresses are personal information and therefore the full weight of data protection laws applies. Google was, as one would expect, quick to defend its practices.

The Working Party covered a broad swath of issues, saying it expects search engines, among other things, to:

Use personal data- ranging from search query histories to IP addresses and unique cookie identifiers- only for “legitimate purposes”

Destroy and anonymise that data when it’s no longer legitimately useful

Inform users about data collection and storage practices

Set cookies to have a lifetime “no longer than demonstrably necessary”

Dissociate a user’s IP address or other identifier from his or her stored search queries

Allow users to see whatever “personal data” is being stored about them, whether it be their past search queries or other data “revealing their behaviour or origin”

Respect Web site operators’ desires to opt out of having their properties crawled, indexed, and cached through use of mechanisms like the robots.txt file or the Noindex/NoArchive tags

Do more to prevent personally identifiable information- such as Social Security numbers, credit card numbers, telephone numbers, and e-mail addresses- from creeping into search results

This could become a big deal…with huge implications for both search engines and people.

For Kiwis, my pick is the interview (“fireside chat”) of TradeMe’s Sam Morgan (streaming video, mp3). For the identityrati there is Simon Willison on OpenID and decentralised social networks (streaming video, mp3).

In this Paper, he says “… our governments and citizens must together develop an agreement on the acceptable ways of gathering, storing and using data about citizens within a secure electronic service environment.”

“The future of electronic service provision in all European societies relies on development of a citizen-centred European trust network to underpin and facilitate the many secure electronic service networks under development at present.”

I interpret this in two ways.

First, that data breaches of government-held personal information, such as that in the UK recently, undermine the basic trust relationship between government and people. As I mentioned in my first post on this topic, “The real issue goes to the heart of governance and government: trust… The hard reality is that it is about trust and a loss of trust strikes at the very foundation of government.”

Secondly, if the trust fabric is strong, people and government can both benefit substantially from richer user-centric online services that require an identity backbone. The trust pact ensures that a framework that protects privacy and offers user-control is in place, i.e. a framework that both reflects and enhances the trust relationship. Without such a trust relationship, efforts in building a user-centric identity or information metasystem that involves the government as an Identity Provider is inherently flawed.

How, then, should the trust relationship be built and nurtured? The Think Paper offers a somewhat simplistic view on that vital question by recommending “achieving a balance between the need to hold data and the duty to use it and protect it responsibly.” Hopefully, a future Think Paper will do more justice to this critical question.

Frankly, sometimes I tire of hearing about user stupidity. The moaning of “if only users could be more careful” and “we need to educate our users better” ignores the reality of how online security really works in practice.

Phishing works because most online customers are unable to protect themselves. Expecting them to do so is simply a false hope and makes for poor security outcomes.

A study by Rachna Dhamija, J D Tygar, and Marti Hearst of Harvard University and UC Berkeley called Why Phishing Works (pdf 851 KB) provides empirical evidence about which malicious strategies are successful at deceiving general users. The study concludes that:

“…even in the best case scenario, when users expect spoofs to be present and are motivated to discover them, many users cannot distinguish a legitimate website from a spoofed website. In our study, the best phishing site was able to fool more than 90% of participants.” (emphasis added)

The study is worth reading in detail as it shows how common steps websites expect customers to take are, by a wide margin, unrealistic and amount to a flawed approach to online security.

The padlock, address bar changing colour, presence of favicon, animated graphics, “accept temporary certificate for this session”… all of these were either invisible or wrongly interpreted by most users.

Time for a test. If you saw the URL http://www.bankofthevvest.com would you accept it as that of Bank of the West? Look carefully, it should be “west” not “vvest” (i.e. “w” not two “v”s). This one fooled all but one of the participants.